
Vyatta - Issues with Tunnels

Hello,
I have 2 Vyatta routers: Location A and Location B.

Location A has BGP with a /20 of IPv4 IP space routed to it.

Location B is an office router which should allow us to use our IPs within our office.

We have set up a tunnel between Location A and Location B which we can ping across without an issue. The tunnel seems to function as desired.

When we statically route segments of the /20 of IPs from Location A to Location B, we run into problems.

The question is, how do we set up a VPN tunnel that pushes our IPs over it from Location A to Location B, and then returns all of the packets from Location B back to Location A?

We are using Vyatta 6.3 open source. Please provide us with a step-by-step example of how to accomplish this.

Worth 500 points.

Thanks,
Rick
Asked: richardsimnett
1 Solution
 
Nayyar HH (CCIE RS), Network Architect, commented:
Hi

Not too familiar with the Vyatta platform, but I'm sure the principles remain the same.

Could you please elaborate by answering these questions?

- What is the tunnel mode? IPsec transport/tunnel mode; GRE; etc.
- What sort of transport is between A and B? Internet; enterprise network; MPLS cloud; leased line; etc.
- What EGP/IGP is run between A and B? BGP; OSPF; RIP
- What EGP/IGP is run between tunnel interfaces at A and B? BGP; OSPF; RIP
richardsimnett (Author) commented:
Currently, the tunnel mode is IPsec, over IP-in-IP.

The transport between the two routers is the Internet. Location A is a router in our colocation facility in Miami; Location B is Comcast Business (50 Mb/10 Mb).

Although both routers support EGP/IGP (BGP, OSPF, RIP), we are not using any of these over the tunnel.

lrmoore commented:
The tunnel traffic definitions must include traffic
from any to host @ Location B
and
from host @ Location B to any.
As well, the NAT/no-NAT rules have to match.
Typically over a tunnel, the traffic is only local LAN <--> local LAN.
The problem with that is that Location B has its own Internet connection, which I assume is used by the server. You might have to get creative with the NAT rules and the tunnel access-lists to make sure only host/port xyz gets pushed through the tunnel in both directions...
Nayyar HH (CCIE RS), Network Architect, commented:
It appears the definition of "interesting traffic" on the end-points might be the culprit. Be sure to exclude what should go over the tunnel (encrypted); everything else would go out in the clear.

See this link (left hand side configuration for vyatta)

http://www.carbonwind.net/VyattaOFR/VyattaCiscos2stunmode/VyattaCiscos2stunmode.htm

berkcomjonathan commented:
Can you post the relevant configuration for the Location A and Location B routers?
richardsimnett (Author) commented:
Sure:

Location A's Configuration:

interfaces {
    ethernet eth0 {
        address 69.60.125.150/23
        duplex auto
        hw-id 52:54:00:59:18:fc
        smp_affinity auto
        speed auto
    }
    loopback lo {
        address 172.17.0.1/32
    }
    tunnel tun0 {
        address 10.2.2.5/30
        encapsulation ipip
        local-ip 172.17.0.1
        multicast disable
        remote-ip 172.17.0.2
        ttl 255
    }
}
protocols {
    bgp 12149 {
        neighbor 64.251.7.97 {
            ebgp-multihop 10
            remote-as 15083
        }
        network 216.255.176.0/20 {
        }
    }
    static {
        interface-route 216.255.176.0/28 {
            next-hop-interface eth0 {
            }
        }
        interface-route 216.255.177.0/24 {
            next-hop-interface tun0 {
            }
        }
    }
}
service {
    ssh {
        port 32420
        protocol-version v2
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    domain-name novarix.net
    gateway-address 69.60.124.1
    host-name miami
    ip {
        arp {
            table-size 16384
        }
    }
    login {
        banner {
            post-login "\n\n\tWelcome Master!\n"
            pre-login "\n\n\tUNAUTHORIZED USE OF THIS SYSTEM\nIS PROHIBITED!\n"
        }

Location B's Configuration:

interfaces {
    ethernet eth0 {
        address 50.73.136.21/30
        duplex auto
        hw-id 52:54:00:00:38:3c
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 216.255.177.1/24
        duplex auto
        hw-id 54:54:00:00:38:3c
        smp_affinity auto
        speed auto
    }
    loopback lo {
        address 172.17.0.2/32
    }
    tunnel tun1 {
        address 10.2.2.6/30
        encapsulation ipip
        local-ip 172.17.0.2
        multicast disable
        remote-ip 172.17.0.1
        ttl 255
    }
}
protocols {
    static {
        interface-route 0.0.0.0/0 {
            next-hop-interface tun1 {
            }
        }
        interface-route 216.255.176.0/20 {
            next-hop-interface tun1 {
            }
        }
        route 10.2.2.0/24 {
            next-hop 50.73.136.22 {
            }
        }
        route 50.73.136.0/24 {
            next-hop 50.73.136.22 {
            }
        }
        route 172.17.0.0/24 {
            next-hop 50.73.136.22 {
            }
        }
    }
}
service {
    ssh {
        port 32420
        protocol-version v2
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    domain-name mediagiantdesign.com
    gateway-address 50.73.136.22
berkcomjonathan commented:
I think you are trying to do an IPsec VPN with IPIP encapsulation. There are some great Vyatta docs on their website if you need more info. I would try something like this. Define an IPsec tunnel terminating at the IPIP tunnel. Then route packets bound for remote networks to the tunnel address on the opposite side. I'm not sure if this will work, but it will give you some idea about how to do it.

on location A:
==============
set vpn ipsec esp-group esp_locB compression 'enable'
set vpn ipsec esp-group esp_locB lifetime '1800'
set vpn ipsec esp-group esp_locB mode 'tunnel'
set vpn ipsec esp-group esp_locB pfs 'enable'
set vpn ipsec esp-group esp_locB proposal 1 encryption 'aes256'
set vpn ipsec esp-group esp_locB proposal 1 hash 'sha1'
set vpn ipsec esp-group esp_locB proposal 2 encryption '3des'
set vpn ipsec esp-group esp_locB proposal 2 hash 'md5'
set vpn ipsec ike-group ike_locB lifetime '3600'
set vpn ipsec ike-group ike_locB proposal 1 encryption 'aes256'
set vpn ipsec ike-group ike_locB proposal 1 hash 'sha1'
set vpn ipsec ike-group ike_locB proposal 2 encryption 'aes128'
set vpn ipsec ike-group ike_locB proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-modes 'all'
set vpn ipsec site-to-site peer 50.73.136.21 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 50.73.136.21 authentication pre-shared-secret 'somesupersecret'
set vpn ipsec site-to-site peer 50.73.136.21 ike-group 'ike_locB'
set vpn ipsec site-to-site peer 50.73.136.21 local-ip '69.60.125.150'
set vpn ipsec site-to-site peer 50.73.136.21 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 50.73.136.21 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 50.73.136.21 tunnel 1 esp-group 'esp_locB'
set vpn ipsec site-to-site peer 50.73.136.21 tunnel 1 local-subnet '172.17.0.1/32'
set vpn ipsec site-to-site peer 50.73.136.21 tunnel 1 remote-subnet '172.17.0.2/32'
set protocols static route 216.255.177.0/24 next-hop 10.2.2.6


on location B:
==============
set vpn ipsec esp-group esp_locA compression 'enable'
set vpn ipsec esp-group esp_locA lifetime '1800'
set vpn ipsec esp-group esp_locA mode 'tunnel'
set vpn ipsec esp-group esp_locA pfs 'enable'
set vpn ipsec esp-group esp_locA proposal 1 encryption 'aes256'
set vpn ipsec esp-group esp_locA proposal 1 hash 'sha1'
set vpn ipsec esp-group esp_locA proposal 2 encryption '3des'
set vpn ipsec esp-group esp_locA proposal 2 hash 'md5'
set vpn ipsec ike-group ike_locA lifetime '3600'
set vpn ipsec ike-group ike_locA proposal 1 encryption 'aes256'
set vpn ipsec ike-group ike_locA proposal 1 hash 'sha1'
set vpn ipsec ike-group ike_locA proposal 2 encryption 'aes128'
set vpn ipsec ike-group ike_locA proposal 2 hash 'sha1'
set vpn ipsec logging log-modes 'all'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 69.60.125.150 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 69.60.125.150 authentication pre-shared-secret 'somesupersecret'
set vpn ipsec site-to-site peer 69.60.125.150 ike-group 'ike_locA'
set vpn ipsec site-to-site peer 69.60.125.150 local-ip '50.73.136.21'
set vpn ipsec site-to-site peer 69.60.125.150 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 69.60.125.150 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 69.60.125.150 tunnel 1 esp-group 'esp_locA'
set vpn ipsec site-to-site peer 69.60.125.150 tunnel 1 local-subnet '172.17.0.2/32'
set vpn ipsec site-to-site peer 69.60.125.150 tunnel 1 remote-subnet '172.17.0.1/32'
set protocols static route 216.255.176.0/20 next-hop 10.2.2.5 <-- not sure about this one


The VPN reference guide has more examples that also might be helpful.  Hope that helps.
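The point raised earlier in the thread (the encapsulated tunnel traffic must match the IPsec selectors in both directions, otherwise it leaves in the clear) can be checked against the posted configurations. The following is an added example, not code from the thread or from Vyatta: it models the two routers' static routes, the IPIP tunnel endpoints and the proposed IPsec selectors, and simulates where a packet from an office host ends up. Route entries and the `eth0` egress for ESP are transcribed from the configs above; the simulation itself is a simplification (no NAT, no BGP-installed routes).

```python
import ipaddress

# Routing tables transcribed from the thread's configs (only the entries the
# lookups below need): (prefix, egress interface).
ROUTES_A = [("0.0.0.0/0", "eth0"),             # gateway-address 69.60.124.1
            ("216.255.176.0/28", "eth0"),
            ("216.255.177.0/24", "tun0")]
ROUTES_B = [("0.0.0.0/0", "tun1"),
            ("216.255.176.0/20", "tun1"),
            ("216.255.177.0/24", "eth1"),      # connected office LAN
            ("172.17.0.0/24", "eth0")]         # next-hop 50.73.136.22
# IPIP tunnels: interface -> (local-ip, remote-ip) used for the outer header.
TUNNELS = {"tun0": ("172.17.0.1", "172.17.0.2"),
           "tun1": ("172.17.0.2", "172.17.0.1")}
# IPsec selectors from the proposed fix: (local-subnet, remote-subnet).
IPSEC_A = [("172.17.0.1/32", "172.17.0.2/32")]
IPSEC_B = [("172.17.0.2/32", "172.17.0.1/32")]


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


def forward(routes, selectors, src, dst):
    """Simulate one router: returns ('esp'|'clear', egress, outer_src, outer_dst).

    A packet routed into an IPIP tunnel gets a new outer header; the IPsec
    policy is matched against that outer header, not the office addresses.
    """
    egress = lookup(routes, dst)
    if egress not in TUNNELS:
        return ("clear", egress, src, dst)
    o_src, o_dst = TUNNELS[egress]
    for local, remote in selectors:
        if (ipaddress.ip_address(o_src) in ipaddress.ip_network(local)
                and ipaddress.ip_address(o_dst) in ipaddress.ip_network(remote)):
            return ("esp", "eth0", o_src, o_dst)   # ipsec-interfaces eth0
    # No selector matched: the encapsulated packet is routed again and leaves
    # the router unencrypted (the "goes out in the clear" case).
    return ("clear", lookup(routes, o_dst), o_src, o_dst)


def round_trip(office_host, internet_host, ipsec_a=IPSEC_A, ipsec_b=IPSEC_B):
    """True only if both directions of the flow are tunnelled and encrypted."""
    out = forward(ROUTES_B, ipsec_b, office_host, internet_host)
    back = forward(ROUTES_A, ipsec_a, internet_host, office_host)
    return out[0] == "esp" and back[0] == "esp"
```

Calling `round_trip` with the selectors emptied on either side shows the failure mode: the flow still follows the tunnel routes but leaves `eth0` as plain IPIP.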
richardsimnett (Author) commented:
Thanks!